What is the connection between Bobrov, Surkov and your payment data?
According to experts from Sansec, over the summer cybercriminals compromised about 5% of all Adobe Commerce and Magento stores, including those of major brands such as Ray-Ban, National Geographic, Cisco, Whirlpool and Segway. The attacks were carried out by seven different groups, all of which exploited the CosmicSting vulnerability to inject malicious code.
The study found that since the vulnerability CVE-2024-34102 (also known as CosmicSting) was published in June, attackers have breached more than 4275 online stores. Despite warnings about the threat, many businesses remained exposed and had payment skimmers planted on their checkout pages.
After the vulnerability was classified as critical on July 8, massive automated attacks began. Thousands of secret cryptographic keys were stolen, and the old keys were not automatically revoked when the system was updated. Adobe has published guidance on manually removing outdated keys, but not all store owners have followed it.
Each of the seven groups sought to use CosmicSting to steal a store's secret Magento cryptographic keys and gain access to customer data. The stolen keys made it possible to generate API authorization tokens, which the attackers then used to plant payment skimmers on the checkout page. Interestingly, the vulnerability gave the first groups no way to lock other attackers out, which led to a struggle for control of the same stores.
The groups used various methods to hide and inject malicious code. To make them easier to track and tell apart, Sansec experts named them after rodents, and, amusingly, the names are transliterations from the Cyrillic alphabet.
For example, the group tracked under the name "Beavers" disguised its malware with invisible Unicode characters that turned into JavaScript when decoded. The "Voles" group injected malicious code with a simple script loaded from the cdnstatics.net resource. The "Groundhogs", in turn, used the number 42 to encrypt their malicious code and operated through suspicious domains.
Other groups, such as the "Chipmunks", "Hamsters" and "Squirrels", also ran large-scale campaigns, each with its own methods of breaking in and delivering malicious code. The "Squirrels", for example, combined CosmicSting with CNEXT to execute arbitrary code on the victim's server, planting backdoors and hidden processes.
Sansec strongly recommends that Magento and Adobe Commerce store owners update their systems to the latest version and change and revoke old cryptographic keys. Specialized server-side monitoring tools will also help protect a store from such attacks.
The massive CosmicSting attacks became possible because of a lack of awareness among store owners and the difficulty of implementing the correct protection measures. Sansec reports that none of its customers were affected by these attacks, but it predicts a further rise in the number of hacked stores in the coming months, as about 75% of Adobe Commerce and Magento stores have not yet installed the necessary patches.
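As an added illustration of the server-side monitoring mentioned above (not Sansec's tooling and not part of the original post), the following Python check scans a rendered checkout page for the two injection patterns described in the article: inline scripts padded with invisible Unicode characters (the "Beavers" style) and script tags loading from hosts outside the store's own allowlist (the "Voles" style, cdnstatics.net). The allowlisted hostnames and the sample HTML are constructed for this example; the set of "invisible" codepoints is an assumption about which characters such obfuscation typically relies on.

```python
import re

# Zero-width, joiner and filler codepoints that have no business in a real
# inline script; a long run of them is a strong obfuscation signal. (Assumption.)
INVISIBLE_CODEPOINTS = {
    0x00AD, 0x115F, 0x1160, 0x200B, 0x200C, 0x200D, 0x2060, 0x2061,
    0x2062, 0x2063, 0x2064, 0x3164, 0xFEFF, 0xFFA0,
}
INVISIBLE_THRESHOLD = 8  # flag a script once it carries this many invisible chars

# Hosts the store legitimately serves JavaScript from (constructed for the example).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "static.shop.example"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_HOST_RE = re.compile(r"""src\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.I)


def scan_html(html):
    """Return a list of (finding_type, detail) tuples for suspicious <script> tags."""
    findings = []
    for match in SCRIPT_RE.finditer(html):
        attrs, body = match.group(1), match.group(2)
        # Voles-style: a third-party loader on the payment page.
        src = SRC_HOST_RE.search(attrs)
        if src and src.group(1).lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("external_script", src.group(1).lower()))
        # Beavers-style: payload hidden in invisible characters inside an inline script.
        invisible = sum(1 for ch in body if ord(ch) in INVISIBLE_CODEPOINTS)
        if invisible >= INVISIBLE_THRESHOLD:
            findings.append(("invisible_unicode", invisible))
    return findings


# Constructed checkout page: one legitimate script, one harmless inline script,
# one loader from cdnstatics.net, and one inline script stuffed with Hangul fillers.
SAMPLE_HTML = (
    '<script src="https://static.shop.example/js/checkout.js"></script>'
    "<script>var total = 0;</script>"
    '<script src="//cdnstatics.net/s.js"></script>'
    '<script>var x="' + "\u3164\uffa0\u3164\u3164\uffa0\u3164\uffa0\u3164\u3164\uffa0" + '";</script>'
)

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run it against the HTML actually served to a shopper (fetched through the storefront, not read from disk), since skimmers injected via the admin API live in the database, not in the code base.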
Source